Carbanak Group Targets Executives of Financial Organizations in the Middle East

Posted: Fri May 13, 2016 3:56 pm
by Sabre
ProofPoint
The Carbanak group is infamous for infiltrating various financial institutions and stealing millions of dollars by learning and abusing the internals of victim payment processing networks, ATM networks and transaction systems. Recently, we detected Carbanak campaigns attempting to:
• Target high-level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
• Deliver spear-phishing emails carrying URLs, macro documents and exploit documents
• Use Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others in support of operations.

1.1 Campaign Targeting Middle East (URLs leading to Exploit Docs)
On March 1st 2016, Proofpoint detected a targeted email sent to hand-picked individuals working for banks, financial organizations, and several professional service companies and companies selling enterprise software. These targets are high level executives and decision makers such as directors, senior managers, regional/country managers, operations managers. The majority of targets work in the Middle East region in countries such as UAE, Lebanon, Kuwait, Yemen and others.

The email contained a URL to a Microsoft Word document hosted on a compromised site churchmanarts[.]com. The document, WRONG_AMOUN-01032016.doc (SHA256: ac63520803ce7f1343d4fa31588c1fef6abb0783980ad0ba613be749815c5900), exploits CVE-2015-2545 when opened to drop and execute a downloader from the client’s temporary folder. This document drops essentially the same payload every time, but slightly modified, possibly so that every execution results in a dropped file with a different hash.
Pretty good write up on the exploit and such. Good reading material for the pooper, haha
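The delivery chain quoted above (URL on the compromised host, lure .doc with a stable SHA256, dropped downloader whose hash changes per run) suggests what a defender can and cannot key detection on. The following is an added example, not code from the Proofpoint report or this post: it refangs the indicators quoted above, matches them against constructed proxy log lines in an assumed "timestamp client method url status" format, and checks a file against the lure document's hash.

```python
import hashlib
import re
from typing import Dict, List

# Indicators quoted in the Proofpoint excerpt above (defanged as published).
DEFANGED_HOST = "churchmanarts[.]com"
DOC_NAME = "WRONG_AMOUN-01032016.doc"
DOC_SHA256 = "ac63520803ce7f1343d4fa31588c1fef6abb0783980ad0ba613be749815c5900"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


HOST = refang(DEFANGED_HOST)

# Constructed sample proxy log lines (not from the report). Assumed format:
# timestamp client method url status
SAMPLE_PROXY_LOG = """\
2016-03-01T09:12:41Z 10.0.4.17 GET http://churchmanarts.com/docs/WRONG_AMOUN-01032016.doc 200
2016-03-01T09:13:02Z 10.0.4.17 GET http://update.example.org/check 200
2016-03-01T09:15:55Z 10.0.7.3 GET http://churchmanarts.com/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def find_url_hits(log_text: str) -> List[Dict[str, str]]:
    """Return log entries that fetch a Word document from the compromised host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
        if host == HOST and url.lower().endswith(".doc"):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "url": url})
    return hits


def is_known_lure(file_bytes: bytes) -> bool:
    """The lure document itself is stable, so its SHA256 is a usable indicator.
    The dropped downloader is re-generated per execution (per the report), so its
    hash is not a reliable indicator; key on the document and the URL instead."""
    return hashlib.sha256(file_bytes).hexdigest() == DOC_SHA256
```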